cross post frrom < C896QJRPE|rke> But here it goes I m installing RKE2 agent on a windows worker Should I just use the URL given from ranchers custom cluster gt registration Or should I follow instructions from <https docs rke2 io install windows airgap > I cant find any other installation documentation for the agent

I mean cluster management gt clusters gt registration Step 2 I copy the url with curl exe and paste it into my windows worker

cross post frrom < C896QJRPE|rke> But here it goes I m insta rancher-users #rke2

#rke2

Title

# rke2

bright-whale-83501

09/19/2022, 6:04 PM

cross post frrom #rke But here it goes: I'm installing RKE2 agent on a windows worker. Should I just use the URL given from ranchers custom cluster -> registration. Or should I follow instructions from https://docs.rke2.io/install/windows_airgap/ (I cant find any other installation documentation for the agent)

creamy-pencil-82913

09/19/2022, 6:07 PM

When you say the custom cluster registration URL, you mean the one that lets you download the Rancher installation manifest for application to the downstream cluster?

RKE2 agents should be pointed at an RKE2 server, not at Rancher.

bright-whale-83501

09/19/2022, 6:13 PM

I mean cluster management -> clusters -> registration. Step 2, I copy the url with curl.exe and paste it into my windows worker.

wins-agent-install.ps1

creamy-pencil-82913

09/19/2022, 6:27 PM

yes, that should work, if you’re using Rancher for provisioning

the RKE2 docs don’t cover Rancher provisioning. They only cover standalone RKE2 clusters. Rancher docs in Rancher docs, RKE2 docs in RKE2 docs.

bright-whale-83501

09/19/2022, 6:29 PM

I do. But I've had a horrible time getting things to work. Biggest problem is our self signed CA, I pass --insecure to rancher but it does not matterr. So I swapped out curl.exe in windows with 2 releases newer, and that version accept our ca, if I rebuild the cerrtificate-bundle in windows.

But the installation process ends up in a loop right after calico cni have been brought alive. kubelet.exe are extracted again, and cant be replaced on the disk, since kubelet.exe are already executing in windows.

If I manually kill that process and delete kubelet.exe, the installer continues. But ends up in a loop

Looking at the logs in windows I think this is the main error, but I dont know how/where to poke to solve it: "Cluster CA certificate is not trusted by the host CA bundle, but the token does not include a CA hash. Use the full token from the server's node-token file to enable Cluster CA validation"

Amazing. I think I solved the last hurdle. I added --insecure into the part that downloads kubeconfig from rancher.

it's very strange. Even thou I run my own curl.exe, that have curl-ca-bundle.crt in the same folder it did not accept our CA. All previous curl.exe calls, utilize curl-ca-bundle.crt, For the record, its function Get-RancherConnectionInfo that I needed to add --insecure into

creamy-pencil-82913

09/19/2022, 7:08 PM

ah yeah, there may be issues with proxies and custom CAs on Windows. I know that the golang crypto libs don’t make it easy to interact with the Windows certificate store.

bright-whale-83501

09/19/2022, 7:28 PM

its curl.exe that (this time) didnt play with the certstore, at all

most google hits, gladly tell you to just add -k or --insecure. But I wanted to pass my ca cert. Almost worked